I can’t recall exactly when it happened, but at some point the term “identity management” became a wildly popular (and overused) buzzword in physical access. I have to admit it’s catchy, very easy on the ears, and makes everything seem relevant to any security aspiration.
The black-and-white lines that once separated physical access from identity management have not disappeared, but they have blurred into many shades of gray. Referring to almost every product or activity as “identity management” prevents meaningful dialogue and keeps the conversation from driving toward specific ideas and objectives.
After all, this isn’t the first time this has happened. Remember “convergence”? Vendors were pitching, partners were pushing, and end-users were listening. The irony was that most of the vendors weren’t listening to the end-users. The feedback I have received from many global security managers (CSOs, CIOs, CISOs, etc.) was that proposed solutions did not address core program objectives, nor could the vendors explain how the solution would technically solve their business objectives. Translation: they weren’t relevant and would not be a good investment.
I don’t want anyone to get the impression that I am against convergence, because that would be false. I will go on record that the frenzy was poorly executed and shot itself in the foot. At the same time, I also believe convergence is happening, but in a much different way than the market had anticipated (a topic for another time). My point is that buzz needs to demonstrate relevance to an organization’s specific objectives. If identity management aims to achieve operational efficiency, the enterprise must first achieve organizational effectiveness by establishing common, cross-functional, and collaborative goals. The core of this is speaking the same language and using the same definitions at a detailed level. Blanket buzz terms that span just about every product don’t contribute much beyond getting everyone to the table, perhaps with some level of enthusiasm. And once they get there, they sometimes realize they are pretty far apart.
Several months ago I was briefed by a CSO who explained that he had set up a cross-functional meeting between IT and physical security. The objective was to reduce costs while improving policy enforcement, so that growing compliance measures could be met through operational improvements in identity management. It didn’t go too well.
In the meeting, the physical security and IT teams took turns outlining their challenges and what they would like to fix. The meeting evolved into each side voicing concern that there was a disconnect. Physical security struggled to see how directories, attributes and SAML (Security Assertion Markup Language) were relevant to the topic of identity management, and IT struggled just as much with lanyards, badges and turnstiles. People got frustrated and the meeting ended. There were a couple of follow-on attempts, but fatigue took over and the two groups resigned themselves to simply not working with one another, each thinking the other didn’t “get it.”
The CSO wanted to see if I could help get it back on track. We agreed that the lesson was that transitioning from buzz to real dialogue requires some conscious cultivation. We drafted some ground rules for the next meeting, and they proved successful. Here is a summary of some of them.
• Create a shadowing program to foster understanding of, and respect for, one another’s roles.
• Get them thinking about how to solve problems together through mutual insight, not in a meeting vacuum.
• Encourage language that is descriptive and specific. Get away from high-level terminology.
• Develop a common vocabulary between the groups.
• Inventory current processes and state what each one is trying to achieve.
• Highlight the overlaps and use them as integration points.
• Outline the gaps that do not meet current requirements and how to remediate them.